Fix unauthorized column reordering
Users could reorder columns they didn't have access to. Fixed by limiting ColumnScoped to User::Accessor#accessible_columns. References https://hackerone.com/reports/3449905
This commit is contained in:
@@ -7,6 +7,6 @@ module ColumnScoped
|
||||
|
||||
private
|
||||
def set_column
|
||||
@column = Current.account.columns.find(params[:column_id])
|
||||
@column = Current.user.accessible_columns.find(params[:column_id])
|
||||
end
|
||||
end
|
||||
|
||||
Reference in New Issue
Block a user